SIPRNET - jsac-dfw
Customer Success Is Our Mission is a registered trademark of Raytheon Company.
UNCLASSIFIED
What is SIPRNet?
SIPRNet stands for the Secret Internet Protocol Router Network. It is the Department of Defense's largest network for the exchange of classified information and messages at the SECRET level. It supports the Global Command and Control System, the Defense Message System, and numerous other classified warfighting and planning applications.
SIPRNet is no different from the Internet other than its domain names, which end in '.smil.mil' or '.sgov.gov'.
SIPRNet uses the Transmission Control Protocol/Internet Protocol (TCP/IP) in a secure environment, using COMSEC equipment such as a KIV-7M or KIV-7HSB.
Organizations and Responsibilities
Defense Information Systems Agency (DISA): responsible for Defense Information Systems Network (DISN) circuits and oversight.
Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD(NII)): final approval authority for all connection requests in support of the sponsor's mission.
DISA SIPRNet Management Office: reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate; forwards the approved solution to OASD(NII) for approval.
Government Sponsor: sponsor/owner of the contractor connection; provides funding for the circuit and any other required services for the contractor connection to SIPRNet (e.g. Computer Network Defense Service Provider (CNDSP), email, Domain Name Service (DNS)).
Defense Security Service (DSS): DAA for accrediting information systems used to process classified information in industry; processes System Security Plans (SSP).
DISA Certification and Accreditation Office / Classified Connection Approval Office (CAO): processes Connection Approval Packages (CAP); issues the IATT, IATC and ATC.
9/6/2015
Circuit Ordering
Government Contracting Authority (GCA)
Requirements include a valid DD 254 that contains a mission support requirement.
GCA Sponsorship
The sponsorship letter must contain the following: contract number, CAGE code, POC, network diagram, ports, websites and
The SIPRNet circuit will require a Type 1 encryption device, and the user must have the DTD, which can be programmed to handle (store, securely transport, and transfer) COMSEC and TRANSEC keys, Communications-Electronics Operating Instructions (CEOI), frequency-hopping parameters, and net control operating directions for the evolving family of COMSEC equipment crucial to new communications systems.
AN/PYQ-10 Crypto Fill Device.
Required Devices
Firewall equipment required as part of the SIPRNet connection:
1 Evaluation Assurance Level (EAL) 4 firewall
1 Intrusion Detection System (IDS)
CNDSP
The DoD 8530 Directive and Instruction provide guidance to:
– evaluate Computer Network Defense Service Providers (CNDSP)
– certify and accredit teams
Secondary goal: ensure a higher quality of protection through increased maturity and understanding of the services provided by the CNDSP.
Contractors must have a CNDSP assignment before they will be allowed connections to the DISN.
CNDSP concerns:
– Cost
– Army Research Labs (ARL) is the only one accepting new CNDSP services
– Waiting time for sensors, as they have to be requested from the vendor
Recommendation: obtain CNDSP service with the acquisition of the circuit, prior to ATO/ATC.
CTO 10-133
A. THE LOCAL ISSM WILL:
(1) DIRECT ALL PERSONNEL TO CEASE DATA TRANSFERS TO REMOVABLE MEDIA ON THE SIPRNET.
(2) DISABLE "WRITE" PRIVILEGES, EITHER THROUGH PHYSICAL CONFIGURATION, SOFTWARE SETTINGS, HOST BASED SECURITY SYSTEM (HBSS) DEVICE CONTROL MODULE SETTINGS, OR ANY COMBINATION THEREOF.
(3) SET LOCAL GUIDELINES AND PROCEDURES FOR APPROVAL-DISAPPROVAL OF "WRITE" CAPABILITY TO REMOVABLE MEDIA ON THE SIPRNET.
(4) MAINTAIN A LIST OF ALL SYSTEMS THAT HAVE BEEN AUTHORIZED TO "WRITE" TO REMOVABLE MEDIA DEVICES.
B. SECURITY MANAGERS SHALL:
(1) PROVIDE AUTHORIZED USER APPROVALS TO THE ISSP AND ISSM. PROVIDE FINAL APPROVALS FOR ANY "WRITE" TO REMOVABLE MEDIA CAPABILITY WHICH THE COMMAND REQUIRES.
(2) DOCUMENT PERSONNEL APPROVED TO USE "WRITE" CAPABILITIES AT THE LOCAL LEVEL AND RETAIN ON FILE FOR A MINIMUM OF FIVE YEARS.
(3) ENSURE COMPLIANCE WITH REFERENCE A, PARA. 7.B(2) UPON COMPLETION OF WRITE ACTIVITY.
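The following is an added example, not part of the briefing or of CTO 10-133 itself: a host-side audit of items A(2) and A(4) on a Windows endpoint where write blocking was applied through native OS settings (the StorageDevicePolicies key or the RemovableStorageDevices Group Policy keys). It assumes a Windows host, and the authorized-systems list is a constructed sample; HBSS device control settings live in ePO and are not visible to this check, so a host relying on HBSS alone must be verified there.

```powershell
# Added example (not from the briefing): audit a Windows host against CTO 10-133 A(2) and A(4).
# Assumptions: Windows host; write blocking via native OS/Group Policy settings only.
# HBSS device control is managed in ePO and is not inspected here.

# Constructed sample of the ISSM's list of systems authorized to write to removable media (item A(4)).
$AuthorizedWriters = @('SIPR-XFER-01', 'SIPR-XFER-02')

function Test-RemovableWritePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Native write-protect for all USB mass storage (DWORD 1 = read-only).
    $sdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' `
        -Name 'WriteProtect' -ErrorAction SilentlyContinue
    $writeProtect = ($null -ne $sdp) -and ($sdp.WriteProtect -eq 1)

    # Group Policy "Removable Disks: Deny write access"; the GUID is the Windows removable-disk class.
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $gpo = Get-ItemProperty -Path $gpoPath -Name 'Deny_Write' -ErrorAction SilentlyContinue
    $denyWrite = ($null -ne $gpo) -and ($gpo.Deny_Write -eq 1)

    # Group Policy "All Removable Storage classes: Deny all access" also blocks writes.
    $all = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name 'Deny_All' -ErrorAction SilentlyContinue
    $denyAll = ($null -ne $all) -and ($all.Deny_All -eq 1)

    $writeBlocked = $writeProtect -or $denyWrite -or $denyAll
    $authorized   = $AuthorizedWriters -contains $ComputerName

    # Compliant when writes are blocked; an authorized writer still needs the B(1)-(2) approval on file.
    if ($writeBlocked)   { $finding = 'Compliant: writes to removable media blocked' }
    elseif ($authorized) { $finding = 'Authorized writer: verify documented approval on file' }
    else                 { $finding = 'NON-COMPLIANT: writes enabled and host not on authorized list' }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        WriteProtect     = $writeProtect
        GpoDenyWrite     = $denyWrite
        GpoDenyAll       = $denyAll
        OnAuthorizedList = $authorized
        Finding          = $finding
    }
}

Test-RemovableWritePolicy | Format-List
```

Run it under an account that can read HKLM, and export the resulting objects per host to build the evidence record item A(4) requires.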
Approval Package
After receiving circuit approval/validation and the circuit order, the contractor should develop all required security documentation and begin system configuration/hardening.
Required documentation for Connection Approval Package (CAP) submittal to DISA Classified
• The DISA CAO manages the Connection Approval Process and the security requirements for the SIPRNet.
• The DISA CAO verifies that the CAP is complete with all required documentation.
• Once the circuit is installed at the contractor facility (DMARC) and the security package is approved by the DISA CAO, DISA will issue an Interim Approval To Test (IATT).
– Note: before DISA schedules a technician to install/configure the CSU/DSU, KIV-7, etc., the following items are required:
1) DSS ATO
2) CAP approved by the DISA CAO
– Burn-in and implementation by the GNSC
• After burn-in and implementation by the GNSC, the CAO will initiate a remote compliance vulnerability scan. Once a successful scan has been completed, the CAO will issue an IATC/ATC.
• Contractor on SIPRNet
SIPRNet Process Flowchart
START: Contract requires SIPRNet connection (DD-254)
-> DoD Sponsor submits access request to JS/J6
-> JS/J6 validates
-> OSD/CIO approves
-> DISA accepts OSD/CIO letter and assigns control No.